
In Splunk Enterprise Security, why is the eval field from our correlation search missing in a notable event?


I have a correlation search in which I use a simple eval command to create a new field (ex. eval test=123). This field shows in the search; however, when I set this search as an alert, the eval field I created is missing on the notable event. How do I ensure that this custom field is being sent along with the other data that is sent by default as a notable event?

Thanks for the link, I've followed all of these steps and am still not getting the results I need. When I look at the notable event index and at the event in question, the eval field I created within the correlation search is not present.

So you're creating the field in the search but it's not showing in the results? I'd test this out further separate from a correlation search, and run the search directly in Splunk and see if there is something incorrect in the search syntax.

When I run the search manually and look at the results I can see the field I created. I have this search set as an alert; once triggered it sends the event to the notable event index. When I go and look at the notable event index and specifically at this event, my eval field I created does not come over with the other data. Everything else comes over as expected; it's just this eval field I created in the search that is no longer present.

I've checked this setting was in place as well, but I am still not getting the data. Under the notable index, then the event in question, the eval field I created is not present even though it shows on the correlation search.

In your eval, you are using ceil to round up. If you just want to capture the time to a field, you can do eval first_date = _time or first_time = now(). There is also an existing incident review field called Modification Time, so you could use eval modtime = _time or modify_time = _time to capture time. Would this help?

Thanks for your reply. The ceil function was more of just an example, but I tried with your recommendations and still get the same results: no field showing in the notable event, but it shows on the correlation search results. The only workaround I've found so far is to create the field using the calculated field option, which does work, but this is for all events, which is not ideal. I'm not sure what I am doing wrong here.

Basically, once you have a field defined (your custom field) and added in Incident Review -> Event Attributes, you can force it to appear using fields +. Let me know if this fixes it, and also indicate the version of Splunk core and ES.

I just tried using a new simple search with the same eval command you referenced with the fields function; however, it seems like you need to add each field individually, which is not ideal. Regardless, the new search triggered on an event, I checked the notable event index to look at what was sent over, and again the custom eval field is missing. I've also added this field as an event attribute, but this does not matter if the field/data are not found when passing to the notable index. Again, just for clarification, my issue is that the correlation search shows the custom field I created in the results with data; when this is set as an alert and sent to the notable events index, the notable event is now missing that field (both when I tried to look for it using index=notable | search custom_field=* and under the Incident Review dashboard).

Just to be clear, if you want your custom field to appear in the Incident Review dashboard against the list of fields in the notable/alert, you need to create that field in Incident Review -> Event Attributes. There are already about 200+ fields available which can be used to your needs by way of renaming, e.g. if your search/event has a name as 'lastname', you can use | eval user_last = lastname to make use of existing notable event fields. That way you can reuse an existing field. As far as I know, if you cannot re-use an existing field, you will need to define/add it before it can be displayed in the Incident Review screen for that notable.
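Putting the two suggestions above together (build the field with eval, reuse an existing notable attribute where one fits, and keep everything explicitly with fields +), here is an added SPL sketch of a correlation search body; it is not from the original thread, and the index, sourcetype and field names (placeholder_index, placeholder_sourcetype, src, risk_bucket) are placeholders you would replace with your own:

```spl
index=placeholder_index sourcetype=placeholder_sourcetype
| stats count earliest(_time) as first_seen by src
| eval risk_bucket = ceil(count / 10)
| eval modify_time = first_seen
| fields + src count first_seen risk_bucket modify_time
```

After the search fires, the same check the asker used, `index=notable | search risk_bucket=*`, confirms whether the custom field actually reached the notable index, which separates a search-output problem from an Incident Review display problem.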

Yes, I've gone through adding about a dozen event attributes and have never had this issue before. I have other alerts which use eval commands, and they are passing the eval field I created along to the notable event when generated (I didn't even need to configure anything on Incident Review to get this to work). I find it strange that in other alerts eval commands are working and when you search for the event in the notable index they are showing. Would a recycle of the services be the best move at this point, or is there some way to refresh Splunk from within the UI? Never experienced anything like this before.

As I stated above, I've followed these steps and am still not getting the correct result. When I look under the notable index, then the event in question, I cannot see the eval field I created which shows in the correlation search. Is there anything else that would cause this not to work?
